Intranet not Internet

  • Question

  • Hello everybody,

    The PCs of my Lab are connected to a switch, the switch to the server (HP PROLIANT with Windows Server 2012), the Server to a firewall, the firewall to the router. The router allows the Internet connection.

    The PCs are in a domain: lab.domain

    Every user has their own domain account, so they can access the shared network resources.


    The aim of my question is: I would like to disconnect the Lab's PCs from the Internet but not from the Intranet resources.

    Please, any suggestion is appreciated.


    Thanks in advance.

    Wednesday, November 14, 2018 9:34 PM

All replies

  • Hello, one quick way would be not to assign a DNS address on domain computers via the DHCP server, or to assign a non-existent DNS address like 0.0.0.0 :D
    Wednesday, January 2, 2019 7:31 PM
  • Hello, one quick way would be not to assign a DNS address on domain computers via the DHCP server, or to assign a non-existent DNS address like 0.0.0.0 :D

    This would make a cute practical joke, but wouldn't actually cut the machine off from the internet. You wouldn't be able to resolve domain names (like microsoft.com or google.com) to IP addresses, so you'd break web browsing and probably email I/O, but anyone from the internet could still access your PC (as firewall exceptions allow), anyone with access to the PC could still retrieve the webpage at google.com if they resolved DNS from another system, and anyone could just re-add the DNS.

    In all cases your first step is to assign a static LAN IP to the lab PC, or better yet dig into the machine and get its network adapter's MAC Address.

    If the Server is a Domain Controller but not a Web Proxy, then you configure firewall rules that refuse to forward any I/O to/from the target PC's IP or MAC addresses. MAC is preferred because, while it can be changed by a system admin, it's harder to do and most wannabe technogurus don't even know about it.

    If the Server is indeed a Proxy, then you configure the proxy platform to exclude I/O to/from the target PC.

    There are other options that are better, including putting in a new router+switch and configuring that whole subnet to disallow requests anywhere but class A/B/C addresses.  That would let you de/allocate WAN vs LAN limits just by moving cables from one device to the other at your demarc, but can get expensive. 

    Depending on the quality of your switch you may be able to program it to do the same thing for specific I/O ports.

    Great answer, but would you buy all this equipment and configure it the way you describe just for your home lab? If you have a few dollars to spend then I am with you.

    Thursday, January 3, 2019 8:59 PM
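The forwarding policy the second reply describes (lab PCs matched by MAC address, allowed to reach intranet destinations only, everyone else unaffected) as an added worked example; this is not configuration from the thread. It assumes the "LAN" destinations are the private RFC 1918 ranges, a Linux/iptables firewall for the generated rules, and uses constructed MAC addresses and a TEST-NET public address.

```python
"""Model of the perimeter rule from the reply: lab PCs (matched by MAC)
may only reach intranet (private) destinations; other hosts are unchanged.
Constructed example, not the thread's own configuration."""
import ipaddress

# Constructed MAC addresses of the lab PCs (placeholders, not real hosts).
LAB_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Private ranges (RFC 1918); assumed to be what "LAN" means on this network.
INTRANET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_intranet(dst_ip):
    """True if dst_ip falls inside one of the private ranges."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in INTRANET)


def should_forward(src_mac, dst_ip):
    """Decide whether the firewall forwards a packet from src_mac to dst_ip.
    Note this is independent of DNS: a public host reached by raw IP is
    still dropped, which is why DNS-only blocking is not enough."""
    if src_mac.lower() in LAB_MACS:
        return is_intranet(dst_ip)   # lab PC: intranet only
    return True                       # everyone else: unchanged


def iptables_rules():
    """Equivalent FORWARD-chain rules (assumes an iptables firewall).
    Per lab MAC: ACCEPT each private range, then DROP everything else."""
    rules = []
    for mac in sorted(LAB_MACS):
        for net in INTRANET:
            rules.append(f"iptables -A FORWARD -m mac --mac-source {mac} -d {net} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -m mac --mac-source {mac} -j DROP")
    return rules


# Constructed connection attempts: (src_mac, dst_ip, description).
ATTEMPTS = [
    ("00:11:22:33:44:55", "192.168.10.5", "lab PC -> file server"),
    ("00:11:22:33:44:55", "203.0.113.7", "lab PC -> public web host by IP"),
    ("aa:bb:cc:dd:ee:ff", "203.0.113.7", "admin PC -> same public host"),
]


def dropped(attempts=ATTEMPTS):
    """Descriptions of the attempts the policy would refuse to forward."""
    return [desc for mac, ip, desc in attempts if not should_forward(mac, ip)]
```

Because the match is on MAC, the same caveat from the reply applies: a host that changes its MAC address leaves the lab group, so the rule belongs alongside a static IP or switch-port assignment rather than replacing them.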